ASP, IIS Security Vulnerability
ASP's flexibility, simplicity, practicality and power quickly made it popular with websites worldwide, but its vulnerabilities also threaten every website developer. Having introduced some IIS system vulnerabilities and ASP security issues earlier, this article gives a detailed account of the latest ASP and IIS security vulnerability; all ASP website developers should pay close attention and stay vigilant.
At the beginning of this month, Microsoft once again came under criticism over the security of its web server software. A defect known as the "malformed HTR request" exists in Microsoft's popular product IIS Server 4.0. According to Microsoft, in certain circumstances this defect can allow arbitrary code to run on the server side. But Firas Bushnaq, CEO of eEye, the Internet security company that discovered the flaw, said that this is just the tip of the iceberg. Bushnaq said Microsoft concealed some facts, for example that hackers can use this vulnerability to take complete control of the IIS server, and many e-commerce sites are built on this system. Rosa lists the details of the IIS system vulnerability below:
IIS's latest security vulnerability
Affected system:
Internet Information Server 4.0 (IIS4)
Microsoft Windows NT 4.0 SP3 Option Pack 4
Microsoft Windows NT 4.0 SP4 Option Pack 4
Microsoft Windows NT 4.0 SP5 Option Pack 4
Announcement date: 6.8.1999
Microsoft has confirmed this vulnerability, but there is currently no patch available.
Microsoft Security Announcement (MS99-019):
Topic: "Malformed HTR Request" Vulnerability
Published: 6.15.1999
Summary:
Microsoft has confirmed that there is a serious vulnerability in its web server product Internet Information Server 4.0 that allows a denial of service attack against the IIS server; in certain cases it may also allow arbitrary code to run on the server. A patch for this vulnerability will be released in the near future; all IIS users should pay close attention.
Vulnerability introduction:
IIS supports several file types that require server-side processing, such as ASP, ASA, IDC and HTR; when a web user requests such a file from the client, the corresponding DLL processes it automatically. However, the DLL responsible for handling HTR files contains a serious security vulnerability. (Note: HTR files themselves are used for remote management of user passwords.)
The vulnerability is an unchecked buffer in ISM.DLL, which poses two threats to the secure operation of the web server. The first is denial of service: a malformed request for a .htr file causes a buffer overflow that crashes IIS directly. When this happens the machine does not need to be rebooted, but the IIS web service must be restarted. The second threat is more troublesome: a carefully constructed file request can use a standard buffer overflow to run arbitrary code on the server side, and in that case anything is possible! The flaw is not in the .htr files that provide the password-management functions themselves, but in the DLL that handles them.
Principle analysis:
The overflow occurs in at least one IIS extension handler (e.g. ASP, IDC, HTR). We speculate that it happens when IIS passes the full URL to the DLL that processes the extension. If the ISAPI DLL does not correctly check the length, inetinfo.exe overflows and a remote user can execute arbitrary code. Attack method: send an HTTP request to IIS of the form "GET /[overflow].htr HTTP/1.0" and IIS will crash; here [overflow] can be about 3K long.
Many readers may not be familiar with .htr files. In fact, IIS lets NT users change their passwords over the web through the /iisadmpwd/ directory. This function is implemented by a set of .htr files and the ISAPI DLL ism.dll. When a complete URL is passed to ISM.DLL, the lack of an appropriate size limit produces the overflow and crashes the server. The HTR/ISM.DLL ISAPI is installed by default in IIS4.
Solution: since Microsoft has not yet released a patch, we can only take some emergency precautions.
1. Remove the .htr extension from the list of ISAPI DLL application mappings
On your NT desktop, click "Start" -> "Programs" -> "Microsoft Internet Information Server" -> "Internet Service Manager"; double-click "Internet Information Server"; right-click the computer name and select "Properties"; select "WWW Service" in the "Master Properties" drop-down list and click the "Edit" button; select the "Home Directory" tab and click the "Configuration" button; in the "Application Mappings" list box select the .htr mapping, click "Remove" and confirm.
2. Install the patch provided by Microsoft as soon as it is available; watch the following URLs
http://www.microsoft.com/security
http://www.microsoft.com/security/products/iis/checklist.asp
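As an added defensive example, not code from the original article: a Python script that checks an IIS application-mapping list for the ISM.DLL .htr mapping the solution above tells you to remove, and scans constructed IIS log lines for .htr requests, flagging oversized ones of the kind the attack method describes and any that touch the /iisadmpwd/ password-management directory. The log field layout (date, time, client IP, method, URI stem, query, status) and the 512-byte length threshold are assumptions.

```python
import re

# Constructed sample IIS log lines (assumed W3C fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = "\n".join([
    "1999-06-15 10:01:02 10.0.0.5 GET /default.asp - 200",
    "1999-06-15 10:01:05 10.0.0.5 GET /iisadmpwd/aexp.htr - 200",
    "1999-06-15 10:02:17 192.0.2.44 GET /" + "A" * 3000 + ".htr - 500",
])
# Assumed threshold: legitimate .htr URLs are short; a far longer one is suspect.
HTR_LENGTH_THRESHOLD = 512
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _date, _time, ip, method, uri, query, status = m.groups()
    return {"ip": ip, "method": method, "uri": uri, "query": query, "status": int(status)}

def classify(entry):
    """Tag a parsed entry: oversized .htr, password-admin .htr, plain .htr, or None."""
    uri = entry["uri"].lower()
    if not uri.endswith(".htr"):
        return None
    if len(uri) > HTR_LENGTH_THRESHOLD:
        return "oversized-htr"
    if uri.startswith("/iisadmpwd/"):
        return "htr-password-admin"
    return "htr"

def scan_log(text):
    """Return (line number, client IP, tag) for every .htr request in the log text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        tag = classify(entry)
        if tag is not None:
            findings.append((number, entry["ip"], tag))
    return findings

def htr_mapping_present(app_mappings):
    """True if an (extension, DLL path) mapping list still maps .htr to ISM.DLL."""
    return any(ext.lower() == ".htr" and dll.lower().endswith("ism.dll")
               for ext, dll in app_mappings)
```

Any "oversized-htr" finding after the mapping has been removed should return a 404 rather than crash the service, which is a quick way to confirm the workaround took effect.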
Some friends may be surprised that, after devoting two full installments of the ASP series (articles 17 and 18) to ASP, I am now focusing on IIS and ASP security issues. If you are a web developer or ASP programmer, I think you will understand my intention. We do network programming and develop interactive websites in order to build our own sites, but all of that rests on security: protecting the ASP or other network application code we have developed, ensuring the website server runs safely, ensuring that user information is secure and authenticated, and so on. As e-commerce becomes the key to real-time business operations, security matters even more. Many of us are in the same position as ASP programmers, so being familiar with how the system operates, learning about system vulnerabilities promptly and solving security problems as soon as they appear is very important and necessary. So at the end of this article the author has organized some security suggestions for NT and IIS system configuration, hoping they help everyone.
1. Use the latest version of Microsoft Internet Information Server 4.0 and install the latest Service Pack (SP5); do not use FAT for the server's file system, use NTFS.
2. Set the Sample, Scripts, Iisadmin and MSADC web directories in IIS to disable anonymous access and restrict them by IP address. Until Microsoft provides a patch, remove the ISM.DLL application mapping.
3. If conditions allow, use a firewall. The simplest arrangement is to expose only the front end and keep the directories behind it, and if you can dedicate a machine to a single service, so much the better.
4. Use NTFS to set detailed security permissions on important directories such as the CGI directory, the Scripts directory and the Winnt directory. The Winnt directory, which contains registry information, should grant Full Control only to administrators and Read Only to ordinary users. Any important system-related file should be read-only for accounts other than Administrator, never Everyone/Full Control.
5. Run only the services you need, and block all ports that should not be open, such as NetBIOS port 139, a typical hazardous port. How to block these ports? Besides using a firewall, NT's TCP/IP settings provide this feature: open Control Panel -> Network -> Protocols -> TCP/IP -> Properties -> Advanced -> Enable Security -> Configure, which provides TCP and UDP port restrictions and IP protocol restrictions.
6. Make the administrator account's password complex; adding special characters is recommended.
7. Change the TCP ports of FTP and Telnet to non-standard ports; I usually set them in the 10,000 to 65,000 range.
8. Remove all shares that can be removed, including printer shares and hidden shares such as IPC$ and Admin$. Most of them are not needed.
IPC$: used for remote computer administration and viewing shared resources; it is best not to use it.
Admin$: actually C:\Winnt; there is no need to share it.
C$: users logged in as Administrator or Backup Operators can access the C drive as \\computername\c$. Although this is only over the local network, remote hackers have ways to impersonate a LAN login user, so it should be turned off.
Print$: the directory of printer drivers, an entry point as dangerous as the above.
Netlogon: the share that handles domain logon requests. If your machine is the primary domain controller and other machines in the domain log on through it, do not delete it; otherwise it can be deleted.
How to close these shares? Use Server Manager -> "Shared Directories" -> "Stop Sharing".
9. Centralize the ASP directories and set detailed access permissions on the ASP program directory; generally do not grant "Read" permission.
10. Remove the SAM._ file under WinNT, and likewise delete any other files that could leak such information.
11. For known NT security vulnerabilities, test and check your own machines, and install patches promptly.
12. If necessary, use the SSL secure communication mechanism provided by IIS 4.0 to prevent data from being intercepted in transit.